Prophet Spider Exploits CVE-2021-22941

  |  Source: 

Prophet Spider exploits CVE-2021-22941

Industry: N/A | Level: Tactical | Source: CrowdStrike

CrowdStrike intelligence provides research of a recent attack by the threat group, Prophet Spider. The threat adversary exploited CVE-2021-22941 — a remote code execution (RCE) vulnerability impacting Citrix ShareFile Storage Zones Controller — to compromise a Microsoft Internet Information Services (IIS) web server. "From the exploit, the threat actors were able to upload a webshell to the IIS server." Following the exploitation, the attacker checked for connectivity using nslookup and utilized PowerShell with encoded and invoke-expression commands to download additional files. The threat group's preference for downloading and utilizing the "wget" utility has been observed in various operations.

  • Anvilogic Scenario: Prophet Spider - Initial Setup Activity
  • Anvilogic Use Cases:
  • Web Application File Upload
  • Common Reconnaissance Commands
  • Common Application Security Testing Tools
  • Encoded Powershell Command
  • Executable File Written to Disk
  • Invoke-WebRequest Command
  • Invoke-Expression Command

Get trending threats published weekly by the Anvilogic team.

Sign Up Now